Gpupdate not updating computer policy

This figure depicts risk to managed assets if an attacker gains control of a user workstation where sensitive credentials are used. An attacker in control of an operating system has numerous ways in which to illicitly gain access to all activity on the workstation and impersonate the legitimate account.

Credential Guard and Microsoft Passport

Introduced in Windows 10, Credential Guard uses hardware and virtualization-based security to mitigate common credential theft attacks, such as Pass-the-Hash, by protecting the derived credentials.


The clean source principle requires all security dependencies to be as trustworthy as the object being secured. Any subject in control of an object is a security dependency of that object.

If an adversary can control a security dependency of a target object (subject), they can control that object.

While this approach is similar to PAW in providing a dedicated OS for administrative tasks, it has a fatal flaw in that the administrative VM is dependent on the standard user desktop for its security.

The diagram below depicts how attackers can follow the control chain to the target object of interest when an Admin VM runs on a User Workstation, and shows that it is difficult to create such a path in the reverse configuration.
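The control-chain argument above can be checked mechanically. The following is an added example, not part of the original page: it models "who controls what" as a directed graph and lists every security dependency of the administrative credentials in both configurations. All node names and edges are constructed assumptions for illustration.

```python
from collections import deque

def control_path(controls, start, target):
    """Return the chain of control from start to target, or None.

    controls maps each subject to the objects it directly controls.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for obj in controls.get(node, ()):
            if obj not in parents:
                parents[obj] = node
                queue.append(obj)
    return None

def security_dependencies(controls, target):
    """Every subject with direct or transitive control of target."""
    subjects = set(controls) - {target}
    return {s for s in subjects if control_path(controls, s, target)}

# Constructed model: administrative VM hosted on the daily-use workstation.
# An edge A -> B means "whoever controls A also controls B" (assumption).
ADMIN_VM_ON_USER_WORKSTATION = {
    "internet_content": ["user_workstation_os"],  # browsing and e-mail on the host
    "user_workstation_os": ["hypervisor", "admin_vm"],
    "hypervisor": ["admin_vm"],
    "admin_vm": ["admin_credentials"],
    "admin_credentials": ["managed_servers"],
}

# Constructed model: the reverse configuration, a user VM hosted on a PAW.
USER_VM_ON_PAW = {
    "internet_content": ["user_vm"],  # Internet exposure is confined to the guest
    "paw_host_os": ["hypervisor", "admin_credentials", "user_vm"],
    "hypervisor": ["user_vm"],
    "admin_credentials": ["managed_servers"],
}

if __name__ == "__main__":
    for name, model in [("admin VM on user workstation", ADMIN_VM_ON_USER_WORKSTATION),
                        ("user VM on PAW", USER_VM_ON_PAW)]:
        print(name, sorted(security_dependencies(model, "admin_credentials")))
```

In the first model the Internet-exposed host is a security dependency of the administrative credentials; in the second, only the PAW host is.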

Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors.

Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.

This section contains information on how the security of alternate approaches compares to PAW and how to correctly integrate these approaches within a PAW architecture.

All of these approaches carry significant risks when implemented in isolation, but can add value to a PAW implementation in some scenarios.

This practice uses an individually assigned administrative account that is completely separate from the user's standard user account.
